FYI, there is now some developer documentation for this feature here: https://developers.google.com/privacy-sandbox/blog/grace-period-opt-out
On Fri, Jun 7, 2024 at 7:57 PM Anton Maliev <[email protected]> wrote:
> Added to the explainer. Thanks for calling that out.
>
> On Tue, Jun 4, 2024 at 6:39 PM Caleb Raitto <[email protected]> wrote:
>
>> Thanks! I was mixing up the grace period and the deprecation trial.
>>
>> For the second part -- thanks for the context -- could you add some of that context to the explainer?
>>
>> Thanks,
>> -Caleb
>>
>> On Tue, Jun 4, 2024 at 4:52 PM Anton Maliev <[email protected]> wrote:
>>
>>> Hi Caleb,
>>>
>>> The 3PCD grace period overrides any origin/deprecation trial tokens. This is so it can act as an immediate mitigation between when a site notices a breakage and applies for the trial, and when it is able to deploy the tokens. So a site may choose to serve tokens for some percentage of requests, but while the grace period is active this will have no effect - all of the affected cookies will be allowed regardless. The well-known file gives the site control over how the grace period is applied, and when it opts out, the clients fall back to the deprecation trial tokens or other 3PCD alternatives.
>>>
>>> Having each client fetch the well-known file adds the following privacy/security risks. (These are distinct from the risks mentioned in the Privacy/Security section, sorry for the confusion there.)
>>> - It would expose client browsing history via its network requests to specific .well-known resources.
>>> - It would require requests to the domain of embedded sites (if there is a third-party grace period active) which adds new cross-site information leakage through timing attacks, etc.
>>> - It would greatly increase the traffic load to the .well-known resource and could overload its server.
>>> - Not a privacy/security risk, but there would be a performance cost to an additional request for each client navigation that could slow down the browser.
>>>
>>> On Tue, Jun 4, 2024 at 3:09 PM Caleb Raitto <[email protected]> wrote:
>>>
>>>> Hi -- just had some questions about this (I'm the Potassium open web platform security / privacy reviewer this week), as I was a bit confused...
>>>>
>>>> I'm trying to understand how the tokens work for origin trials. IIUC, the origin trial "enabled" behavior only happens if you serve the deprecation trial token on pages you want to be opted into the deprecation trial [0].
>>>>
>>>> But, (perhaps this is a naive question) doesn't that mean that a server could just only serve those tokens for some percentage of requests, thereby achieving a "self-service system that gives sites the ability to opt-out of the grace period for a certain percentage of clients."?
>>>>
>>>> My other question is around considered alternative <https://github.com/explainers-by-googlers/3pcd-grace-period-opt-out?tab=readme-ov-file#considered-alternatives> #3, where the client fetches the .well-known file. That section says that one issue with this approach is that it "[...] accentuates the privacy/security risks of the network fetches." What is the exact nature of these privacy/security risks? I didn't see these privacy explained anywhere? The privacy issues in the security / privacy section don't seem relevant to the way the .well-known data is fetched, AFAICT.
>>>>
>>>> Thanks,
>>>> -Caleb
>>>>
>>>> [0] https://developer.chrome.com/docs/web-platform/origin-trials/#take_part_in_an_origin_trial
>>>>
>>>> On Tuesday, May 28, 2024 at 2:42:26 PM UTC-4 Vladimir Levin wrote:
>>>>
>>>>> LGTM3
>>>>>
>>>>> On Tue, May 28, 2024 at 12:55 PM Ben Kelly <[email protected]> wrote:
>>>>>
>>>>>> On Tue, May 28, 2024 at 10:59 AM Vladimir Levin <[email protected]> wrote:
>>>>>>
>>>>>>> Hey Anton,
>>>>>>>
>>>>>>> Can you please request reviews for the various chips
>>>>>>> [image: chips.png]
>>>>>>
>>>>>> Done. Thanks.
>>>>>>
>>>>>>> Thanks!
>>>>>>> Vlad
>>>>>>>
>>>>>>> On Mon, May 27, 2024 at 3:09 AM Yoav Weiss (@Shopify) <[email protected]> wrote:
>>>>>>>
>>>>>>>> LGTM2
>>>>>>>>
>>>>>>>> On Fri, May 24, 2024 at 5:53 PM Anton Maliev <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I see the concern. The 3P can use document.hasStorageAccess() <https://developer.mozilla.org/en-US/docs/Web/API/Document/hasStorageAccess> to check for cookie support, which accounts for the grace period and opt-out. (It would return true if there is an active grace period on the 1P or 3P that affects the current frame, or false if the current client is opted out.) Per the linked I2S, we recommend document.hasStorageAccess() instead of navigator.cookieEnabled moving forward for validation relating to Chrome's 3PCD rollout - the latter doesn't return the correct value for this case.
>>>>>>>>
>>>>>>>> Thanks! That makes sense.
>>>>>>>>
>>>>>>>>> This also depends if the 3P in question is also on the grace period. If it is not, we would expect them to notice any breakage on other 1Ps as well.
>>>>>>>>>
>>>>>>>>> On Thursday, May 23, 2024 at 4:17:14 PM UTC-4 Yoav Weiss wrote:
>>>>>>>>>
>>>>>>>>>> On Thu, May 16, 2024 at 4:15 PM Anton Maliev <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> > Will developers have a way of knowing if the current site (where they may see breakage metrics) is opted-out of the grace period?
>>>>>>>>>>>
>>>>>>>>>>> Google is planning to build a site dashboard where developers can check on the status of their grace period and opt-out values. In the interim, Chrome DevTools shows an Issue for third-party cookies which are allowed due to the grace period - this can be used to validate whether the grace period is active for that particular client.
>>>>>>>>>>>
>>>>>>>>>> While that's potentially useful, that's not what I had in mind.
>>>>>>>>>> If a site opts out of the grace period, that may impact 3Ps that the site embeds.
>>>>>>>>>> Those 3Ps (if they are not ready for it) are likely to notice some drop in their functionality or conversion, but they'd need a way of attributing that to the lack of 3P cookies.
>>>>>>>>>>
>>>>>>>>>> At the same time, while writing this, I was reminded of navigator.cookieEnabled <https://groups.google.com/a/chromium.org/g/blink-dev/c/xU3gTW4aTfg/m/LaUu7IN2BAAJ?utm_medium=email&utm_source=footer>. Do I understand correctly that it would indicate the lack of 3P cookie support in these cases?
>>>>>>>>>>
>>>>>>>>>>> > Do you have a rough estimate on the length of the grace period? (I'm guessing this will not be relevant after it)
>>>>>>>>>>>
>>>>>>>>>>> That's correct, a site will no longer need an opt-out file after it is removed from the grace period.
>>>>>>>>>>> Each grace period entry has its own expiration date, depending on when the site applied for the deprecation trial. We will need to assess the demand for new sites onboarding to the trial before we can give an estimate on how long we will continue to support grace periods overall.
>>>>>>>>>>>
>>>>>>>>>>> On Thursday, May 16, 2024 at 3:56:15 AM UTC-4 Yoav Weiss wrote:
>>>>>>>>>>>
>>>>>>>>>>>> This is an odd one, but I agree that it's a web exposed feature and hence should go through the blink process. Thanks for sending this!
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, May 14, 2024 at 11:15 PM Anton Maliev <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Contact emails
>>>>>>>>>>>>>
>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>>
>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>>
>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>>
>>>>>>>>>>>>> Explainer
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://github.com/explainers-by-googlers/3pcd-grace-period-opt-out
>>>>>>>>>>>>>
>>>>>>>>>>>>> Specification
>>>>>>>>>>>>>
>>>>>>>>>>>>> Well-known resource specification: https://github.com/explainers-by-googlers/3pcd-grace-period-opt-out/blob/main/well-known-specification.md
>>>>>>>>>>>>>
>>>>>>>>>>>>> Summary
>>>>>>>>>>>>>
>>>>>>>>>>>>> This proposal details a new mechanism for site developers to conduct a self-service staged opt-out of their third-party cookie phaseout grace period. This is intended primarily for Chrome’s active trials for third-party cookie deprecation - one for top-level sites <https://developers.google.com/privacy-sandbox/3pcd/temporary-exceptions/first-party-deprecation-trial> and one for embedded sites <https://developers.google.com/privacy-sandbox/3pcd/temporary-exceptions/third-party-deprecation-trial>.
>>>>>>>>>>>>> When a site is approved for one of these trials, they are added to a short-term grace period which mitigates breakage until the token is launched. Sites may also use this opt-out to test long term solutions.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Each site on the trial will specify their desired opt-out percentage in a new resource in their .well-known directory <https://datatracker.ietf.org/doc/html/rfc8615>, specified here <https://github.com/explainers-by-googlers/3pcd-deprecation-trial-staged-rollout/blob/main/well-known-specification.md>. Google will implement server infrastructure to fetch and update these values on a schedule, and assign clients randomly to cohorts matching this percentage. These cohorts persist for a client up until clearing site storage or reinstalling the browser.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Will developers have a way of knowing if the current site (where they may see breakage metrics) is opted-out of the grace period?
>>>>>>>>>>>>
>>>>>>>>>>>>> Blink component
>>>>>>>>>>>>>
>>>>>>>>>>>>> Privacy <https://b.corp.google.com/components/1457231>
>>>>>>>>>>>>>
>>>>>>>>>>>>> TAG review
>>>>>>>>>>>>>
>>>>>>>>>>>>> N/A
>>>>>>>>>>>>>
>>>>>>>>>>>>> TAG review status
>>>>>>>>>>>>>
>>>>>>>>>>>>> N/A
>>>>>>>>>>>>>
>>>>>>>>>>>>> Risks
>>>>>>>>>>>>>
>>>>>>>>>>>>> There aren’t inherent security implications for fetching external resources using server-side infrastructure, but there is a risk of fetching bad data, which our implementation addresses.
>>>>>>>>>>>>>
>>>>>>>>>>>>> There are also privacy implications for randomly assigning clients to cohorts, which we mitigate by clearing cohorts on site data deletion. There is also a risk that the fetching system fails or that a site loses access to its .well-known resource, both cases which we have planned mitigations for.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Interoperability and Compatibility
>>>>>>>>>>>>>
>>>>>>>>>>>>> The third-party cookie deprecation trials are a Chrome feature, so these new well-known resources will only be fetched by the Chrome browser. The new resource will be distinct and will not interfere with any existing resources used by other browsers or features.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Beyond that, I think that the fact that this is a short-lived capability also significantly reduces risk.
>>>>>>>>>>>> Do you have a rough estimate on the length of the grace period? (I'm guessing this will not be relevant after it)
>>>>>>>>>>>>
>>>>>>>>>>>>> WebView application risks
>>>>>>>>>>>>>
>>>>>>>>>>>>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>>>>>>>>>>>>
>>>>>>>>>>>>> No
>>>>>>>>>>>>>
>>>>>>>>>>>>> Debuggability
>>>>>>>>>>>>>
>>>>>>>>>>>>> N/A
>>>>>>>>>>>>>
>>>>>>>>>>>>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>>>>>>>>>>
>>>>>>>>>>>>> All except WebView. (Third-party cookie deprecation launches don’t include WebView.)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>>>>>>>>>>
>>>>>>>>>>>>> No
>>>>>>>>>>>>>
>>>>>>>>>>>>> Flag name on chrome://flags
>>>>>>>>>>>>>
>>>>>>>>>>>>> N/A
>>>>>>>>>>>>>
>>>>>>>>>>>>> Finch feature name
>>>>>>>>>>>>>
>>>>>>>>>>>>> base::features::TpcdMetadataStageControl
>>>>>>>>>>>>>
>>>>>>>>>>>>> Non-finch justification
>>>>>>>>>>>>>
>>>>>>>>>>>>> N/A
>>>>>>>>>>>>>
>>>>>>>>>>>>> Requires code in //chrome?
>>>>>>>>>>>>>
>>>>>>>>>>>>> No. All code for the grace period and new staged opt-out handling is in //components/tpcd/metadata <https://source.chromium.org/chromium/chromium/src/+/main:components/tpcd/metadata/>.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Estimated milestones
>>>>>>>>>>>>>
>>>>>>>>>>>>> Client support is shipping to M125 on May 14. Server-side file processing will begin some time after that date. A separate notice will be sent when that process begins.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Anticipated spec changes
>>>>>>>>>>>>>
>>>>>>>>>>>>> None
>>>>>>>>>>>>>
>>>>>>>>>>>>> Link to entry on the Chrome Platform Status
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://chromestatus.com/feature/5205350707101696
>>>>>>>>>>>>>
>>>>>>>>>>>>> Links to previous Intent discussions
>>>>>>>>>>>>>
>>>>>>>>>>>>> Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/O9mh5XvbqqE/m/IyK22zHkAAAJ
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>>>>>>>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAODhGg7m2ARTr5%3DxE0Jex1bcmQ2ySUZRa%3DJSWpW6UuX56sD5Yg%40mail.gmail.com
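
One way for an embedded third party to act on the recommendation in the thread above (check document.hasStorageAccess() rather than navigator.cookieEnabled) and attribute breakage to missing third-party cookies. This is an added example, not code from the thread or from Chrome; the function names, the `state` labels and the sample events are assumptions made for illustration.

```javascript
// Added example, not code from the thread. `doc` and `nav` are injected so the
// logic also runs outside a browser; in a frame pass `document` and `navigator`.
async function classifyCookieAccess(doc, nav) {
  const cookieEnabled = Boolean(nav && nav.cookieEnabled);
  if (!doc || typeof doc.hasStorageAccess !== 'function') {
    // No Storage Access API: report "unknown" instead of trusting cookieEnabled.
    return { state: 'unknown', cookieEnabled, signalsDisagree: null };
  }
  let hasAccess;
  try {
    hasAccess = await doc.hasStorageAccess();
  } catch (err) {
    // The promise can reject, for example when the document is not active.
    return { state: 'unknown', cookieEnabled, signalsDisagree: null };
  }
  // Per the thread: true while a grace period affects this frame, false when
  // the current client is opted out. Other grants can also produce true.
  return {
    state: hasAccess ? 'available' : 'blocked',
    cookieEnabled,
    signalsDisagree: cookieEnabled !== hasAccess,
  };
}

// Failure rate per cookie state, so a drop in a metric can be attributed.
// Each event is { state, ok } where state comes from classifyCookieAccess().
function failureRateByState(events) {
  const totals = {};
  for (const { state, ok } of events) {
    const t = totals[state] || (totals[state] = { total: 0, failed: 0 });
    t.total += 1;
    if (!ok) t.failed += 1;
  }
  const rates = {};
  for (const [state, t] of Object.entries(totals)) {
    rates[state] = t.failed / t.total;
  }
  return rates;
}

// Constructed sample events (hypothetical widget loads), for illustration only.
const SAMPLE_EVENTS = [
  { state: 'available', ok: true },
  { state: 'available', ok: true },
  { state: 'available', ok: false },
  { state: 'available', ok: true },
  { state: 'blocked', ok: false },
  { state: 'blocked', ok: false },
  { state: 'blocked', ok: true },
  { state: 'blocked', ok: false },
];
```

A large gap between the `blocked` and `available` failure rates points at third-party cookie loss rather than an unrelated regression.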
